diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
index d252a244..7c87d98d 100644
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@@ -10,6 +10,12 @@
 # Last update:
 # $Id$
 
+SVN changes since 2.3.4 release (postfixadmin-2.3 branch)
+----------------------------------------------------------------
+
+ - create-domain: fix SQL injection (only exploitable by superadmins)
+ - add missing $LANG['pAdminDelete_admin_error']
+
 Version 2.3.4 - 2011/09/16 - SVN r1180 (postfixadmin-2.3 branch)
 ----------------------------------------------------------------
 
diff --git a/functions.inc.php b/functions.inc.php
index 21e6dae5..d64ac41f 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -2349,7 +2349,7 @@ function create_admin($fUsername, $fPassword, $fPassword2, $fDomains, $no_genera
 {
 for ($i = 0; $i < sizeof ($fDomains); $i++)
 {
- $domain = $fDomains[$i];
+ $domain = escape_string($fDomains[$i]);
 $result = db_query ("INSERT INTO " . table_by_key ('domain_admins') . " (username,domain,created) VALUES ('$fUsername','$domain',NOW())");
 }
 }
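Review bot: `$fUsername` is interpolated into the same INSERT (`VALUES ('$fUsername','$domain',NOW())`) and nothing in this hunk escapes it, so escaping only `$domain` closes the injection only if the username was already escaped or validated earlier in create_admin, whose body starts above the hunk and ends below it. That should be confirmed; if it was not, escape it once before the loop with `$username = escape_string($fUsername);` and interpolate `$username` instead, taking care not to escape a value twice. The loop also overwrites `$result` on every iteration and the visible lines never check it, so a failed domain_admins insert would pass unnoticed unless it is checked outside the hunk. A short comment above the assignment, such as `// escape each domain at the point of use; values are interpolated into SQL below`, would keep the reason for the call visible to the next editor.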